We’ve known for a while that Facebook is happy to pay so-called white-hat hackers for discovering bugs, with a minimum of $500 up for grabs for each flaw discovered. But one UK man has scored $20,000 from the social networking behemoth for reporting a significant bug that could’ve exposed millions of accounts to being compromised.

Researcher Jack Whitton reported his findings to Facebook on May 23, and the issue was fixed five days later. Whitton has outlined the flaw in his blog, but the gist of it is as follows:

“Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address.

The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.

The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.”

The upshot of this is that the server checked the SMS code but never checked that the account named in profile_id was the one the logged-in user actually owned: a textbook missing authorization check on a client-supplied object identifier. By swapping in a victim’s profile_id, an attacker could link their own mobile number to the victim’s account, then use Facebook’s phone-based password reset so that the reset code for the victim’s account arrived on the attacker’s handset, letting a would-be black-hat hacker reset the password and access the account. The fix was straightforward – Facebook simply no longer accepts the profile_id parameter from the client, so the account being modified can only be the one behind the current session.
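To make the failure concrete, here is an added, self-contained Python model of the flow described above. It is not Whitton’s code or Facebook’s: the user store, session table, account numbers, phone number and handler shapes are all assumptions chosen for illustration. It shows a confirm handler that trusts a request-supplied profile_id next to a hardened one that takes the account from the session, and it follows the chain through to the phone-based password reset that turns the linking bug into a takeover.

```python
"""Toy model of the confirm_phone flow (added illustration, not Facebook's code).

An in-memory user store, a vulnerable handler that trusts a client-supplied
profile_id, a hardened handler that derives the account from the session, and
a phone-based password reset that shows why the linking bug mattered.
"""
import secrets

# Constructed sample data: one victim, one attacker, one attacker session.
USERS = {
    1001: {"name": "victim", "phone": None, "password": "hunter2"},
    2002: {"name": "attacker", "phone": None, "password": "letmein"},
}
SESSIONS = {"sess-attacker": 2002}      # session id -> account that owns it
PENDING_CODES = {}                      # phone -> (code, account that requested it)
SMS_OUTBOX = []                         # (phone, message) pairs the server "sent"


def send_sms(phone, message):
    SMS_OUTBOX.append((phone, message))


def request_phone_code(session_id, phone):
    """Step 1: the logged-in user asks to link `phone`; the server texts a code."""
    profile_id = SESSIONS[session_id]
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone] = (code, profile_id)
    send_sms(phone, f"Your confirmation code is {code}")
    return code


def confirm_phone_vulnerable(session_id, params):
    """Step 2 as the writeup describes it: profile_id comes from the request and
    is never compared with the session owner, so any account can be targeted."""
    if session_id not in SESSIONS:
        return {"error": "not logged in"}
    phone = params["phone"]
    code, _requester = PENDING_CODES.get(phone, (None, None))
    if code is None or params["code"] != code:
        return {"error": "bad code"}
    target = int(params["profile_id"])   # attacker-controlled, never authorized
    USERS[target]["phone"] = phone
    return {"ok": True, "linked_to": target}


def confirm_phone_fixed(session_id, params):
    """Hardened handler: the account is the session owner, a profile_id in the
    request is ignored, and the code must have been requested by that account."""
    if session_id not in SESSIONS:
        return {"error": "not logged in"}
    profile_id = SESSIONS[session_id]
    phone = params["phone"]
    code, requester = PENDING_CODES.get(phone, (None, None))
    if (code is None or requester != profile_id
            or not secrets.compare_digest(params["code"], code)):
        return {"error": "bad code"}
    USERS[profile_id]["phone"] = phone
    return {"ok": True, "linked_to": profile_id}


def reset_password_by_phone(phone):
    """'Forgot password' by phone: the reset code goes to whichever account
    currently owns the number. Returns that account id, or None."""
    for pid, user in USERS.items():
        if user["phone"] == phone:
            code = f"{secrets.randbelow(10**6):06d}"
            send_sms(phone, f"Reset code for account {pid}: {code}")
            return pid
    return None


def run_attack(confirm):
    """Attacker (2002) tries to attach their own number to victim 1001 via the
    given confirm handler, then requests a reset by phone. Returns the account
    whose reset code landed on the attacker's handset (None if none did)."""
    for user in USERS.values():
        user["phone"] = None
    attacker_phone = "+447700900123"      # constructed example number
    code = request_phone_code("sess-attacker", attacker_phone)
    confirm("sess-attacker", {"code": code, "phone": attacker_phone,
                              "profile_id": "1001"})   # victim's id, not the attacker's
    return reset_password_by_phone(attacker_phone)


if __name__ == "__main__":
    print("vulnerable handler, reset code sent for account:",
          run_attack(confirm_phone_vulnerable))   # 1001: the victim
    print("fixed handler, reset code sent for account:",
          run_attack(confirm_phone_fixed))        # 2002: only the attacker's own
```

The hardened version makes two separate decisions: which account is being changed (always the session owner), and whether the code presented is the one that account asked for. Tying the pending code to the requesting account closes the variant where an attacker requests a code for a number, then replays it in a different context.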

Clearly such a basic security flaw should never have existed within Facebook’s verification system, but that’s why it has the bug bounty in place. Indeed, other big tech firms adopt a similar system, including Google where one volunteer has earned $20,000 in a year spotting bugs.

Facebook used to cap rewards at $10,000 per bug, but now says there is no maximum – “each bug is awarded a bounty based on its severity and creativity” – and only one bounty per bug will be awarded.